A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019

Note: Script is not supported (not tested) in Windows Server 2008 en Windows Server 2008 R2. Those operatingsystems are End-of-life.

In this post, I have demonstrated a complete technique to escalate privileges and escape Windows Server Containers. Users should follow Microsoft’s guidance recommending not to run Windows Server Containers and strictly use Hyper-V containers for anything that relies on containerization as a security boundary.

894 GB of data was stored in an unsecured Elasticsearch cluster. UFO VPN claimed the data was “anonymous”, but based on the evidence at hand, we believe the user logs and API access records included the following info:

- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Geo-tags
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers

Here is a story of one specific vulnerability in ClickHouse (CVE-2019–15024) replication protocol but it also illustrates how the increase of attack surface can be exploited.